Many data brokers are failing to register with state consumer protection agencies
Hundreds of data brokers haven’t registered with state consumer protection agencies, according to The Electronic Frontier Foundation (EFF) and Privacy Rights Clearinghouse (PRC).
There are different kinds of data brokers, but what they all have in common is that they gather personally identifiable information (PII) from publicly available data, datasets stolen in cybercrimes, and other places. They then sell the data on, for example, for background checks or marketing purposes.
One of the main dangers posed by data brokers is that they trade amongst themselves. Because of this, they not only gather information about an ever-increasing number of people but also get their hands on information that isn’t even relevant to their field of expertise.
Data brokers have drawn attention from the public after being involved in leaking several large databases, with the worst being the National Public Data (NPD) leak. The NPD data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.
Many states have privacy laws in place that govern the use of private data, but some have, or are working on, specific laws for data brokers. In recent years, California, Texas, Oregon, and Vermont have passed data broker registration laws that require brokers to identify themselves to state regulators and the public. Four states have passed bills requiring data broker registration, but they have not yet been made law: New Jersey, Delaware, Michigan, and Alaska.
Analysis by the EFF and PRC shows that data brokers who registered in one state have failed to do so in others. And it’s not just a few: 291 companies didn’t register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont (these numbers come from data analyzed from early April 2025). And that doesn’t even include all the shady data brokers that failed to register anywhere.
There could be several reasons for this:
- Even though many data brokers operate across states, they may be unaware of the regulations in all of them.
- There is no federal standard, so they have to navigate through four distinct laws with varying definitions, fees, deadlines, and security demands.
- Some brokers may actively choose to skip registration to reduce costs, especially when state-level enforcement is weak and registration fees, like those in California, are high.
When brokers consider registration fees alongside the expenses of audits and compliance with other regulations, it’s possible that they conduct a cost-benefit analysis that may lead them to forgo registration.
| State | Registers with | Fee | Security Obligations | Enforcement |
|---|---|---|---|---|
| California | CPPA | $6,600 | Yes (deletion metrics, audits, security) | $200 per day + investigation costs |
| Texas | Secretary of State | $300 | Yes (WISP) | $100 per day ($10k cap) |
| Oregon | DCBS | $600 | Likely min. standards | $500 per day ($10k cap) |
| Vermont | Sec. of State | $100 | Yes (min. standards) | $50 per day ($10k cap) |
The researchers added one disclaimer:
“This analysis also does not claim or prove that any of the data brokers we found broke the law. While the definition of ‘data broker’ is similar across states, there are variations that could require a company to register in one state and not another.”
At the end of the day, consumers deserve to be protected and federal data broker regulation could be an important step in that direction.
Late last year, Senators introduced a bill that would prohibit data brokers from selling or transferring location and health data. Unfortunately, the Health and Location Data Protection Act of 2024 did not advance.

Ryan C. Smith has been doing professional computer support since 1996. He worked at all the major companies such as SONY, HP, Network Appliances, Palm and many more. He was top of his class at Heald College for Computer Technology. He is familiar with Windows Servers, Windows, Networking, Linux, and Web Servers. He has a photographic memory when it comes to computers.